PayPal to Offer Members Increased Security Option

Intending to boost consumer confidence in its online payment system -- and to thwart the scourge of phishing attacks aimed at its users -- eBay's PayPal will begin offering customers the option of using a password-generating device to beef up security.

The system will use a key fob, known as the PayPal Security Key, an electronic key that can be clipped onto a key chain and can generate a random six-digit security code every 30 seconds. In order to log onto their PayPal accounts, users will have to enter the code with their ID and password.

Business users will be given the key fob -- made for eBay by VeriSign -- free of charge; nonbusiness users will pay a one-time charge of US$5.

Although the actual security improvements will be minimal, the two-factor authentication could enhance security considerably for PayPal users. PayPal customers are a favorite target of phishing scams, in which fraudulent e-mails claiming to be from PayPal encourage users to enter their IDs, passwords and other data into a fake or spoofed Web site.

Even if a phishing attack tricked a user into turning over all three forms of identification, the new random passcode would expire by the time the phisher attempted to access the user's PayPal account.

Its Time Has Come

The use of random password generators has found a niche in some corporate and government settings as an alternative to more advanced technology, such as fingerprint readers or retina scanners.

Still, despite some high-profile security snafus, consumers are not yet clamoring for more security -- at least, not additional security measures that are seen as an inconvenience.

Banks and other financial institutions are among those that must lead the charge toward more robust online security solutions. Some banks currently require a second password or ask customers to designate a specific computer as a single access point for online banking, said Gartner analyst Avivah Litan.

"Banks are recognizing that they must move beyond simple passwords," Litan said. While still viable for less sensitive Web sites and transactions, passwords alone are "no longer adequate for Internet banking." she added.

Not Going Phishing

Meanwhile, the continued rise of phishing attacks has become troubling for many in the e-commerce community, in which identity theft is seen as a potential drag on the growth of online business -- especially in convincing reluctant consumers to shop online for the first time.

According to security firm MessageLabs, more than half of the millions of malicious e-mails it intercepts each month are now phishing-related.

PayPal regularly ranks at or near the top of all companies that have their e-mail addresses spoofed by phishers. Banks are also a favorite target because they offer attackers the opportunity to gain direct access to a user's financial information if the attack is successful.

The number of phishing attacks has more than doubled since 2004. Whereas most such attacks fail to hit their mark, the successful ones can result in significant losses of more than $1,200 per attack.

Last year, banks racked up more than $2.7 billion worth of direct losses, such as fraudulent credit card payments that are written off, according to Gartner.

"There is also the risk of additional losses due to lower confidence in the security of the online world," Litan added.

Reaction is Mostly Positive

eBay said the PayPal Security Key is now in beta testing, primarily by eBay employees, but should be widely available in the United States and select countries within two months.

Reaction on eBay message boards has been largely positive, though some commented that eBay should give the key fobs away for free, as they are likely to boost sales by increasing the buyer's sense of security.